Monday, July 31, 2017

Imagine how embarrassing it is when a pickpocket steals from a cop; it is the same when hackers break into the system of a threat intelligence analyst. Yes, a hacker broke into the system of a threat intelligence analyst from Mandiant Security, a company worth one billion USD when FireEye acquired it in 2014. The leaked dump contains sensitive information such as network topology, threat intelligence profiles for Israel's defence forces, and company worksheets. #leakTheAnalyst is the tag found on social networks.

Looking into the leaked details shows how extensively they targeted this particular threat intelligence analyst. We feel it could be an insider job targeting one particular employee, a kind of spy inside the organisation.

This is the depth of the breach shown in the leak. See the snapshot below:

One of the worst things is that it kills the career of a cyber-security professional named Adi Peretz.

Victim #1 Profile:

--- Name: Adi Peretz

--- Op. Nickname: Mr. Muscle AKA FatFuck

--- Position: Senior Threat Intelligence Analyst at Mandiant

In the leak they mention that the victim analyst had an HR interview with Novartis, and they sarcastically note that it might be cancelled.

Sunday, July 30, 2017

This post is about a road trip, shared by a friend. They drove from Chennai to Thiruvarur via Pondicherry. The distance was almost 300 km, and it was raining most of the time during the journey.

Chennai to Thiruvarur Via Pondicherry (aka Puducherry)

They started their journey on Friday early morning at 12:05 AM. Before the journey started they expected it to take 7 hours to reach Thiruvarur. They filled the fuel tank for 1000 rs, i.e. nearly 15 litres of petrol; the cost of petrol was 67 rs and some paise. The gang started their journey and chose OMR (Old Mahabalipuram Road), reaching Pondicherry by 1:45 AM. That is the best speed I have ever heard of: usually it takes almost 3 hours to reach Pondicherry, but the gang reached there in 1 hour 40 minutes.
There they took a stop and a good tea. They had a chat about the petrol price in Pondicherry and went directly to the nearest petrol pump. To their surprise, the petrol price was only 63 rs and some paise. They put in petrol for 1700 rs, which was a good saving. They started again from Pondicherry heading towards Thiruvarur; they heard that there had been heavy rain some hours back, but luckily during their travel they saw only good lightning. Google Maps was their best guide during the whole journey, and Saavn, the songs app, helped them stay focused and keep up the enjoyment without any sleep. Only peppy numbers were hitting their sound systems.
And they reached Thiruvarur before 5 AM. That was so fast: they saved more than 2 hours on the journey.

Thiruvarur Tank on Map

Travelling Back To Chennai:

This time they started at 10:35 PM on Saturday night. Within a minute they got stuck in the temple function traffic. The rally of temple idol statues was going on and people were watching and praying in the street. Good fireworks were seen in the night.

The temple function is shown in the video above. Check out this rally function.

During the journey there was good rain, and they captured a video of it and uploaded it to YouTube.

These videos were taken during heavy rain on their journey back to Chennai. This time, despite the rain, they reached Chennai in the same five hours. Kind of fast and furious driving.

000000005CB7 000000407AB7 0 Hello You Are Hacked Now !! All your personal files have been encrypted ! if you want restore your data you have to pay ! Remember you can't restore your data without our decryptor !!!!

000000005E2B 000000407C2B 0 ertyuioppoiuhygtfrdeRFTGYHDEZEFFZEF

000000005E73 000000407C73 0 StormRansomware(at)gmail(dot)com

This list of strings gives more details about the file extensions or file types targeted by the Storm ransomware. It also gives details on the functional buttons such as "send money to my bitcoin" and "contact me", and it shows the email id StormRansomware(at)gmail(dot)com.

Possibly the email id and password details are present. We disassembled the code; please refer to the following snapshots of the code:

Email id and password details

Process detail

The following code snippet concerns the cryptography-related routines:

Yoga and meditation bring peace and harmony to the human body as well as to the whole world. Relieving stress from the body fires up the neurons and brings superior performance in one's chosen field. Imagine that performance combined with laser-sharp focus; the output is highly respectable. Yoga and meditation (two sides of the same coin) help on the journey to that state.

Thursday, July 20, 2017

Recently a banking malware campaign using Excel files was found in the wild. Security researchers from Lmntrix researched this and shared their analysis in a recent post.
Please refer to their post: https://lmntrix.com/Lab/Lab_info.php?id=32

Let us take a simple scenario. You receive a file, which may be an executable (PE) or a non-PE file, without any extension. To run that file you need to give it the correct extension, e.g. .pdf, .ppt, .js, .exe, etc.
Pressing the F2 key after selecting the file prompts the user to change the file name, so the user can easily change the file name (which includes the file's extension).

What if you need to change the extension of 'n' files inside a folder?
It is not easy to select each and every file and change its extension one by one.
We give you a simple command:

ren *.* *.jpg
ren *.* *.exe

The first command gives every file inside the folder the .jpg extension, and the second one changes the extension to .exe. These simple commands get the job done.
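As an added example (not code from the post), the following Python helper picks the extension from the file's own header bytes instead of guessing, so a folder of extension-less samples is renamed to what each file actually is; the signature table is constructed from well-known file headers, and ".zip" also covers .docx/.jar style containers.

```python
from pathlib import Path

# Constructed signature table: leading bytes of well-known file types
# (PE image, PDF, legacy OLE2 Office, ZIP-based Office/JAR, RTF, ELF).
SIGNATURES = [
    (b"MZ", ".exe"),
    (b"%PDF", ".pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ".doc"),
    (b"PK\x03\x04", ".zip"),
    (b"{\\rtf", ".rtf"),
    (b"\x7fELF", ".elf"),
]

def guess_extension(header: bytes) -> str:
    """Return the extension implied by the first bytes of a file, or '' if unknown."""
    for magic, ext in SIGNATURES:
        if header.startswith(magic):
            return ext
    return ""

def is_pe_image(data: bytes) -> bool:
    """Confirm an MZ header really is a PE: e_lfanew (offset 0x3c) must point
    at a 'PE\\0\\0' signature inside the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def rename_by_magic(folder, dry_run=True):
    """Give every extension-less regular file in `folder` the extension its
    header implies. Returns [(old_name, new_name)]; files with an unknown
    header, or whose target name already exists, are left untouched."""
    changes = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file() or path.suffix:
            continue
        data = path.read_bytes()
        ext = guess_extension(data)
        if ext == ".exe" and not is_pe_image(data):
            ext = ""  # MZ stub without a PE header: leave it alone
        if not ext:
            continue
        target = path.with_suffix(ext)
        if target.exists():
            continue
        changes.append((path.name, target.name))
        if not dry_run:
            path.rename(target)
    return changes
```

Run with `dry_run=True` first to review the planned renames before touching the folder.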

Tuesday, July 11, 2017

Nitol is a family of Trojans that performs DDoS (distributed denial of service) attacks, allows backdoor access and control, downloads and runs files, and performs a number of other malicious activities on your computer. The botnet is reached through a dynamic DNS service.

History of Nitol (Discovery):

The Trojan was preloaded during the assembly and manufacturing process in China, on machines that came brand new from the factory. These laptops and desktops were sold in large numbers (maybe because of their cheap price), which led to world-wide distribution.

In August 2011, researchers from the Microsoft Digital Crimes Unit purchased 20 computers (10 laptops and 10 desktops) from various cities in China. 4 out of the 20 machines were found to be infected with malware, and one of those infections was Nitol.

Malware Name   SHA1                                       Behavior
Nitol          99624d63106ccff4a2e2feb9d32437bfd2f183ab   HTTP Backdoor
Trafog         a6293ac854ade333a1faa3acabb15dfe777d5bae   FTP Backdoor
EggDrop        E4E583E7FA0CF566586D828DB019F2C7291C4F39   Suspicious – non-malicious
Malat          37e4be0b473ceba6144fa5b900cae52b4c85c47e   IRC Backdoor

The computer that was preloaded with Nitol was the only one where the malware was actively running and had attempted to connect to a command and control (C&C) server.

Infection statistics of Nitol, taken from Microsoft telemetry.

The most commonly used Nitol domains:

Distribution of malware using 3322.org

On 10 September 2012 Microsoft took action against the Nitol botnet by obtaining a court order and subsequently sinkholing the 3322.org domain.

Microsoft later settled with the 3322.org operator Peng Yong, which allowed the latter to continue operating the domain on the condition that any subdomains linked to malware remain sinkholed.

LPK.DLL is used to exploit the module loading process Windows uses when it runs applications. Since applications look for LPK.DLL in their current directory before anywhere else, Nitol's copy gets loaded instead of the file of the same name provided by Microsoft in the System32 directory.

The working of the installer is simple:
Find the resources (mutex and dropper)
Register the mutex
Drop a file from the RCData dropper into %temp% with the prefix hrn
Run the infection code that loads a hidden copy of lpk.dll, and the code for spreading
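As an added example (not part of the original analysis), a small host-hunting script for the two artifacts described above: an lpk.dll planted outside the system directories, which the loader's search order would pick over the Microsoft copy, and dropper files in the temp folder carrying the hrn/hrl prefixes. The system directory layout is assumed to be the default one.

```python
import hashlib
import ntpath
import os

# Where a legitimate lpk.dll lives (assumption: default %SystemRoot% layout).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Temp-file name prefixes the write-up attributes to Nitol's dropper.
DROPPER_PREFIXES = ("hrn", "hrl")

def suspicious_lpk_paths(paths):
    """Return the entries of `paths` that are an lpk.dll outside the system
    directories. An application in such a directory loads that copy first,
    because the loader searches the application's own directory before
    System32; that is the search-order abuse Nitol relies on."""
    hits = []
    for p in paths:
        if ntpath.basename(p).lower() != "lpk.dll":
            continue
        if ntpath.dirname(p).lower().rstrip("\\") in SYSTEM_DIRS:
            continue
        hits.append(p)
    return hits

def dropper_artifacts(names):
    """Return file names that start with the dropper prefixes (case-insensitive)."""
    return sorted(n for n in names if n.lower().startswith(DROPPER_PREFIXES))

def sha1_of(path):
    """SHA1 of a file, for comparison against the hashes in the write-up."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_host(root, temp_dir):
    """Live-host wrapper: walk `root` for rogue lpk.dll copies (returned with
    their SHA1) and list dropper-like names in `temp_dir`."""
    all_files = []
    for dirpath, _dirs, files in os.walk(root):
        all_files.extend(os.path.join(dirpath, f) for f in files)
    rogue = [(p, sha1_of(p)) for p in suspicious_lpk_paths(all_files)]
    temp_names = [f for f in os.listdir(temp_dir)
                  if os.path.isfile(os.path.join(temp_dir, f))]
    return rogue, dropper_artifacts(temp_names)
```

On a Windows host call `scan_host(r"C:\", os.environ["TEMP"])`; the path checks use ntpath so the pure functions also work on an analysis box that is not running Windows.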

The working is shown clearly in the diagram:

The main Nitol file then drops a file in Windows\System32 and also drops a copy of the infected LPK.DLL under the name hra33.dll, which is later deleted.

Dropped %C%C%C%C%C%C.exe

MD5 - B339DE14BAE1157E652B0EA7D070113E

This sample is the most important part of the analysis, as it is responsible for creating the service and the registry entry, downloading files, and performing DDoS attacks.

It can be observed that the file has a lot of NOPs right from the WinMain of the dropped file, which might be place-holders to be replaced by active instructions later in the program's development.

Creation of the service:

The file dropped in temp with prefix hrl is given a random name of six characters:

Injection of code in Svchost.exe:

Svchost.exe in memory:

Network Connectivity related Events:

The connectivity is not established because of the takedown of the botnet:

Nitol downloads some binaries to perform these actions:

plusctrl.dll – MD5 - 99E6D6A21A452A24759FD50FB2874BCE

hra%u.dll (hra32.dll) – MD5 - 22F2C6088367D608D455ED73527DA02B

Stf%C%C%C%C%C.exe

These files are downloaded and used by the command and control server to perform various actions.

Thursday, July 6, 2017

Learning to code and building software is a passion for many people. These people need learning resources to achieve their goal of becoming software developers and good programmers. With that dream, many people in India enrol in computer teaching centres and join computer engineering courses. The way of teaching is not the best, and many are frustrated trying to get a job after completing their course. Only after much struggle do many land their dream profession. In a country like India, the need for computer programmers is growing at an exponential rate. But if we check their understanding of programming concepts, the answer does not seem positive. With all these points in mind, a few people stand out and are trying to fill those missing pieces. In that light, we are going to look at Nutpamsoftware.

Their aim is to take technology to the youngsters of India in such a way that each individual gets a large scope of practical working knowledge rather than just completing their degree. They were formed with the aim of creating a path-breaking change to the current education system. Their ultimate goal in this process is to create powerful people (entrepreneurs) by imparting complete knowledge about the technology while they pursue their education.

Teaching style

They came up with the idea of 'Pora Pokkula Programming', meaning 'programming as you walk'. It uses memes and videos to explain programming concepts in a simpler way.

This is a simple addition program. It is very easy to understand how the program works!

Error 1: Use of Unassigned variable

Unassigned Variable

Error 2: Cannot implicitly convert from datatype1 to
datatype2

Error 2

Future Vision

·To highlight the value of the course the engineering students are studying and make them more confident about what they can do. One step further, in the near future we are planning to bring technology practices to the younger generation at school level.

·To launch a programming language in Tamil so that in future every developer working in the language would have more precise knowledge of development.

Wednesday, July 5, 2017

CVE-2017-0199 has been found in the latest malware campaign. A patch for this vulnerability was already available in the Microsoft security updates. The vulnerability allows remote attackers to execute arbitrary code via a crafted document.

Saturday, July 1, 2017

After the Wannacry ransomware attack, Petya ransomware comes with a new wave of attacks. This ransomware campaign is currently taking place and has already impacted companies in countries across the world, including Ukraine, Spain, Russia, the Netherlands, France, and India. Industries we know to have already been hit by this cyber-attack include the telecommunications, banking, transportation, life sciences, food & beverage, and power & utilities sectors.

The criminals behind the ransomware are demanding a ransom of USD 300 in bitcoin, reportedly to be paid within three days, or else all files on the computer will be deleted (see screenshot below).

Possible mode of entry:

Petya's spreading mechanism is email spam in the form of booby-trapped Office documents. These documents use the CVE-2017-0199 Office RTF vulnerability to download the installer, which leads to the execution of an SMB worm that spreads like the Wannacry ransomware. (Wikileaks)

The general description is the execution of arbitrary code via a crafted document by remote attackers. "Remote attackers" means the mode of entry is email spam. We received samples for analysis, and based on our analysis we made the following findings.

This sample is actually very famous, since many researchers have given their opinion on it. So while doing our manual analysis, we also found automated analysis reports on online platforms. But the sample is a dll file, so we chose to continue our manual analysis. During our analysis, we also received another dll sample:

We compared the compilation times of these samples and found the timestamps mostly similar.

The file properties are almost the same, and when we checked the imported libraries it was confirmed: both files have the same behaviour.

crypt32.dll Crypto API32

iphlpapi.dll IP Helper API

ws2_32.dll Windows Socket 2.0 32-Bit DLL

mpr.dll Multiple Provider Router DLL

netapi32.dll Net Win32 API DLL

dhcpsapi.dll DHCP Server API Stub DLL

The above dlls are used by the ransomware samples during encryption, downloading, etc. Our interest goes to the crypto API, from which the following functions are called: CryptBinaryToStringW, CryptStringToBinaryW, CryptDecodeObjectEx. These functions are used to convert arrays of bytes to formatted strings and back. Looking further into the strings of the file, we noticed the encryption-related strings:

Since this is a dll file (not a COM dll) it needs to be run via rundll32.exe. We know that no user is going to call rundll32.exe to execute a dll file; a normal user doesn't know how dlls are executed. Actually dll files are executed by a parent exe. If we look into the code and strings, we can see the rundll32.exe call and where our sample is stored.

In the above strings we clearly see a process-create call that goes to rundll32.exe (its physical location), and it again points to a file in the Windows folder. But this didn't confirm whether this sample or some other file is executed. So I copied the dll file to the Windows folder and executed the following command:

rundll32.exe <sample name.dll> #1

After that step, I referred to the code of the dll and found the following:

So there is some connection between the file execution, schtasks and shutdown.exe. After executing the dll, we saw that a scheduled task was added.

It created At1, scheduled for exactly one hour after the creation of this scheduled task. Our guess or instinct says it is for the shutdown call we saw in the previous screenshot.

Our analysis is correct: the scheduled task is actually for shutting down the system. After the restart it brings up the ransom note page:

So we cannot access our files; they are encrypted. Payment instructions, bitcoin wallet details and a blinking prompt to enter the purchased key are shown. We randomly typed some text and it throws an incorrect key error.
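The rundll32 → schtasks → shutdown.exe chain observed above is the kind of sequence endpoint telemetry can catch before the reboot happens. As an added example (not part of the original analysis), the following Python detector runs over constructed process-creation events in a simplified pipe-separated form; the host names, DLL name and task command line are made up for the sample.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real logs) in a simplified
# "host|parent image|image|command line" form, shaped after the chain the
# analysis describes: rundll32 loading the DLL's ordinal-1 export, then a
# scheduled forced reboot. Hosts WS02/WS03 are benign look-alikes.
SAMPLE_EVENTS = r"""
WS01|explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\sample.dll #1
WS01|rundll32.exe|C:\Windows\System32\schtasks.exe|schtasks /Create /SC once /TN At1 /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 15:40
WS02|explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL hotplug.dll
WS03|cmd.exe|C:\Windows\System32\schtasks.exe|schtasks /Create /SC daily /TN Backup /TR backup.cmd
"""

# rundll32 calling a DLL/DAT by ordinal #1 (both "x.dll #1" and "x.dll,#1" forms)
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+\S+?\.(?:dll|dat)\s*,?\s*#1\b", re.I)
# schtasks creating a task whose action is a (forced) reboot
SHUTDOWN_TASK = re.compile(r"schtasks\b.*?/create\b.*?shutdown(?:\.exe)?\s+/r\b", re.I)

def parse_events(text):
    """Split the pipe-separated sample format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, image, cmdline = line.split("|", 3)
        events.append({"host": host, "parent": parent.lower(),
                       "image": image.lower(), "cmdline": cmdline})
    return events

def detect(events):
    """Return (host, severity, message) alerts. A reboot task is 'high' when
    its parent is rundll32 or the host already showed the ordinal-#1 load;
    otherwise 'medium', since administrators also schedule reboots."""
    alerts = []
    ordinal_hosts = defaultdict(int)
    for ev in events:
        img = ev["image"].rsplit("\\", 1)[-1]
        if img == "rundll32.exe" and RUNDLL_ORDINAL.search(ev["cmdline"]):
            ordinal_hosts[ev["host"]] += 1
            alerts.append((ev["host"], "high", "rundll32 ran DLL export #1: " + ev["cmdline"]))
        elif img == "schtasks.exe" and SHUTDOWN_TASK.search(ev["cmdline"]):
            linked = ev["parent"] == "rundll32.exe" or ordinal_hosts[ev["host"]] > 0
            sev = "high" if linked else "medium"
            alerts.append((ev["host"], sev, "scheduled forced reboot: " + ev["cmdline"]))
    return alerts

if __name__ == "__main__":
    for host, sev, msg in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{sev}] {host}: {msg}")
```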

Email address associated with this ransomware:

wowsmith123456(@)posteo(.)net

Current status of this email address:

Posteo is an email service provider offering paid email accounts. In this Petya ransomware case, the attackers used a Posteo address as the contact option. Their abuse team checked this and blocked that contact address.

Hence, paying the ransom cannot assure that the victim will receive the decryption key from the attackers, since they cannot contact the attacker using the email address.

We collected the associated domains and IPs for detection purposes with this post.

Bitcoin addresses: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX


Action steps:

Detection rules such as Snort and YARA rules are available from independent sources on the net for this Petya variant. Apply those Snort rules in order to detect this ransomware attack. Blocking the ransomware-spreading domains and IPs in the firewall and proxy will prevent the attack. We recommend blocking SMB and RDP (Remote Desktop Protocol) access to all computers from the internet: ports 445 and 139 for SMB and 3389 for RDP should be blocked. We request that all Windows OS be patched with the latest security updates, especially MS17-010.

The vaccination batch file for this variant; it creates read-only files named perfc in C:\Windows, and the current NotPetya build stops without encrypting when it finds them:

@echo off
rem Assumption: the administrator check and the existing-file check below are reconstructed; the head of the script is not preserved in the post.
net session >nul 2>&1
if %errorLevel% == 0 (
    if not exist C:\Windows\perfc (
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dll
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dat
        attrib +R C:\Windows\perfc
        attrib +R C:\Windows\perfc.dll
        attrib +R C:\Windows\perfc.dat
        echo Computer vaccinated for current version of NotPetya/Petya/Petna/SortaPetya.
        echo.
    )
) else (
    echo Failure: You must run this batch file as Administrator.
)
pause

Further Attack wave in Ukraine:

While writing this analysis report, we came to know about Wannacry clone attacks happening in Ukraine. We got three samples for analysis:

Sample1: MD5: 0BDE638B274C7F9C6C356D3987ED1A2D

Sample2: MD5: 87BE992695B752D86AEAB1116EB5393F

Sample3: MD5: 5C7C894A1CCFD8C8E0F174B0149A6601

All three samples are .NET compiled files:

Reversing the samples for analysis:

These samples show as if they were compiled on Jan 1 2016, but when we searched those hashes on VT they seem to have been uploaded only a couple of days back. So they are actually new samples, and the compile date seems to have been customised or modified by the malware author.

Sample one shows Wannacry strains inside the code. We manually checked the other two samples too, and they also have the same strains in the code. We successfully found the code of these samples.

The above code snippet deals with keys, the file extensions targeted and details about the encryption tool. We moved on to the next sample, and it contains resources in the form of images for the bitcoin details and the ransom note details.